@RISK Newsletter for December 15, 2016

The consensus security vulnerability alert.

Vol. 16, Num. 50

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.

CONTENTS:

TOP VULNERABILITY THIS WEEK: Mirai Variant Targets Modems Used By Deutsche Telekom Customers

NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft Releases Final Monthly Set of Security Bulletins for 2016
Description: Microsoft has released its final set of security bulletins for 2016 with its December release. This month’s release sees 12 new bulletins addressing 42 unique vulnerabilities. Six bulletins are rated critical and address security flaws in Edge, Internet Explorer, Graphic Component, Office, Uniscribe, and Adobe Flash. The remaining six bulletins are rated important and address vulnerabilities in .NET, the Common Log File System Driver, and various different aspects of the Windows Kernel.
Reference: https://technet.microsoft.com/library/security/ms16-dec
Snort SID: 40647-40648, 40936-40990, 40992-40993

Title: Apple Releases Security Updates for its Operating Systems (iOS, macOS, tvOS, watchOS), iCloud, iTunes, and Safari
Description: Apple has released security updates for its operating systems (iOS, macOS, tvOS, and watchOS) and components such as iCloud, iTunes, and Safari. Overall, 71 vulnerabilities in macOS and 64 vulnerabilities in iOS were addressed, with the most severe being arbitrary code execution and privilege escalation flaws.
Reference: https://support.apple.com/en-us/HT201222
Snort SID: Detection pending release of vulnerability information

Title: Adobe Releases Security Updates for Digital Editions, Flash Player, and other products
Description: Adobe has released security updates for various products such as Digital Editions, InDesign, Experience Manager, Flash Player, and more. The Flash Player security bulletin addresses 16 vulnerabilities with one (CVE-2016-7892) being used in “limited, targeted attacks against users running Internet Explorer (32-bit) on Windows.” As with previous advisories, most of the Flash Player vulnerabilities that were fixed were use-after-free vulnerabilities, buffer overflow vulnerabilities, and memory corruption vulnerabilities. Users are advised to disable or remove Adobe Flash Player from their systems if it’s deemed unnecessary and to upgrade if it’s required.
Reference: https://helpx.adobe.com/security.html
Snort SID: Detection pending

Title: Various Netgear Routers Found to Be Vulnerable to Arbitrary Command Injection
Description: Researchers have identified that various Netgear router models contain an arbitrary command injection vulnerability. An attacker who convinces a user to visit a specially crafted website could execute arbitrary commands on the device. Alternatively, a user who sends a specially formatted request directly to the device can also execute arbitrary commands. Note that while there is currently no permanent solution to address the vulnerability, there is a way to “temporarily disable the vulnerable web server” using the “very vulnerabilities that exist on affected routers.” Netgear is aware of the issue and is currently in the process of developing a firmware update to address the vulnerabilities.
Reference: http://www.kb.cert.org/vuls/id/582384

Title: Critical Vulnerabilities in McAfee VirusScan for Linux Addressed
Description: An independent researcher has identified several critical vulnerabilities in McAfee VirusScan for Linux where an attacker could achieve remote code execution as root on an affected device. Achieving remote code execution requires the attacker to combine various exploits to brute-force authentication tokens, reconfigure the service to poll a malicious update server, and force the creation and execution of a malicious script on the vulnerable device. McAfee has released a patch to address these vulnerabilities.
Reference: https://kc.mcafee.com/corporate/index?page=content&id=SB10181

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2016-7892
Title: Adobe Flash Player Use-After-Free Code Execution Vulnerability
Vendor: Adobe
Description: Remote exploitation of a use-after-free vulnerability in Adobe’s Flash Player could allow attackers to execute arbitrary code. Adobe is aware of a report that an exploit for CVE-2016-7892 exists in the wild, and is being used in limited targeted attacks.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)